Hi Simon,
I haven’t read this thread yet but just wanted to chime in to mention that Thomas
Delafosse had worked on this in the past and had an implementation for it. AFAIR he even
pushed a PR for it (which is probably still existing). Could be interesting to see what he
did. We also probably discussed it on the devs list at the time but that might be harder
to find so it’s good you’re asking again (and time has passed so what we said back then
could be different today!).
Thanks
-Vincent
On 25 Jul 2019, at 10:39, Simon Urli <simon.urli(a)xwiki.com> wrote:
Hi everyone,
I'm currently working on improving security on XWiki comments. We already use a
restricted mode in our comments but that does not cover every possible case. In order to
improve it we should also filter out some part of the html when using the html macro.
I propose:
(a) that we use a configurable whitelist of HTML attributes that would be allowed in the
output HTML: all the other attributes would be filtered out.
(b) that the HTML macro is put in restricted mode for users who do not have scripting
rights.
For (a) I'm hesitating between a whitelist and a blacklist: I assume a blacklist would
be shorter but there's also more risk of missing something. On the contrary, a
configurable whitelist doesn't prevent administrators from accepting more than what we give
as standard.
A first whitelist could be (taken from:
https://github.com/xwiki/xwiki-platform/pull/122/files#diff-c33fcb5dca86b15…)
alt, class, height, id, name, rel, scope, style, target, title, width
Note that href is not included in this list for example.
WDYT?
Simon
--
Simon Urli
Software Engineer at XWiki SAS
simon.urli(a)xwiki.com
More about us at
http://www.xwiki.com
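To make proposal (a) concrete, here is an added example (written for this thread, not code from XWiki or from the pull request Simon links) of an attribute whitelist filter in Python rather than Java: it rebuilds the HTML it is fed, keeps only attributes in the configured set, drops every other attribute, and records what it dropped so the decision can be logged. The default set is the list quoted in Simon's mail; `filter_attributes`, `AttributeWhitelistFilter` and the idea of passing an administrator-extended set are assumptions of this example, not anything XWiki exposes.

```python
from html import escape
from html.parser import HTMLParser

# Whitelist quoted in Simon's proposal; the name is this example's, not XWiki's.
DEFAULT_ALLOWED_ATTRIBUTES = frozenset(
    ["alt", "class", "height", "id", "name", "rel", "scope", "style",
     "target", "title", "width"]
)


class AttributeWhitelistFilter(HTMLParser):
    """Re-serialises HTML, keeping only whitelisted attributes on every tag.

    Tags themselves are passed through untouched: this example only
    demonstrates the attribute filtering step discussed in the thread.
    """

    def __init__(self, allowed=DEFAULT_ALLOWED_ATTRIBUTES):
        # convert_charrefs=True folds entities into handle_data, so we
        # re-escape text on output instead of trusting the input encoding.
        super().__init__(convert_charrefs=True)
        self.allowed = {name.lower() for name in allowed}
        self.out = []
        self.dropped = []  # (tag, attribute) pairs removed, for auditing

    def _render_attrs(self, tag, attrs):
        parts = []
        for name, value in attrs:  # html.parser already lower-cases names
            if name not in self.allowed:
                self.dropped.append((tag, name))
                continue
            if value is None:  # boolean attribute such as <td scope>
                parts.append(name)
            else:
                parts.append(f'{name}="{escape(value, quote=True)}"')
        return (" " + " ".join(parts)) if parts else ""

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._render_attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._render_attrs(tag, attrs)} />")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments carry no rendered content, so they are not re-emitted

    def result(self):
        return "".join(self.out)


def filter_attributes(html_text, allowed=DEFAULT_ALLOWED_ATTRIBUTES):
    """Return (filtered_html, dropped) for the given HTML fragment."""
    parser = AttributeWhitelistFilter(allowed)
    parser.feed(html_text)
    parser.close()
    return parser.result(), parser.dropped


if __name__ == "__main__":
    # Constructed sample input: a comment mixing allowed and disallowed attributes.
    sample = '<a href="http://example.invalid" title="link" onclick="x()">hi</a>'
    print(filter_attributes(sample))
    # An administrator extending the default set, as the proposal allows.
    print(filter_attributes(sample, DEFAULT_ALLOWED_ATTRIBUTES | {"href"}))
```

With the default set, `href` and `onclick` are both dropped from the sample (the thread notes that `href` is deliberately absent from the first list); adding `href` to the configured set keeps it while `onclick` is still removed, which is the behaviour a configurable whitelist gives an administrator.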